Overview

Session hijacking (also called cookie hijacking) occurs when an attacker obtains a user's session token (usually stored in a cookie) and presents it to the server to impersonate that user. Because the server accepts the token as proof of an earlier login, the attacker bypasses the authentication step entirely.

Common Methods

  • Cross-Site Scripting (XSS): An injected script reads document.cookie and sends the session token to the attacker; this only works if the cookie is readable by script.
  • Session Sidejacking: Sniffing session cookies that are sent over unencrypted HTTP, for example on public Wi-Fi.
  • Session Fixation: Tricking a user into authenticating with a session ID the attacker already knows, so that the attacker's copy of the ID becomes an authenticated session.

Prevention

  • HTTPS: Encrypting all traffic so that session cookies cannot be intercepted in transit.
  • HttpOnly Cookie Attribute: Preventing script, including injected XSS payloads, from reading the cookie through document.cookie.
  • Secure Cookie Attribute: Ensuring the browser only sends the cookie over HTTPS, never over plain HTTP.
  • Session Timeout: Automatically invalidating sessions after a period of inactivity, which limits how long a stolen token remains usable.
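The following is an added example, not code from the original page: a small server-side session store in Python that applies the prevention list above. It issues unguessable tokens, enforces an idle timeout, emits a Set-Cookie header carrying the HttpOnly and Secure attributes, and additionally regenerates the session ID at login, which is the standard defence against session fixation that the list above does not spell out. The 15-minute idle limit, the cookie name sid, the SameSite=Lax attribute and the injectable clock are assumptions made for the example.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

# Assumed value: seconds of inactivity after which a session is invalidated.
IDLE_TIMEOUT = 15 * 60


@dataclass
class Session:
    user: Optional[str]          # None until the user has authenticated
    last_seen: float
    data: dict = field(default_factory=dict)


class SessionStore:
    """Server-side session table keyed by an opaque random token."""

    def __init__(self, idle_timeout: int = IDLE_TIMEOUT, clock=time.time):
        self.idle_timeout = idle_timeout
        self.clock = clock           # injectable so tests can advance time
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _new_token() -> str:
        # 256 bits from the OS CSPRNG: a hijacker cannot guess or enumerate it.
        return secrets.token_urlsafe(32)

    def create(self) -> str:
        """Issue an anonymous (pre-login) session."""
        token = self._new_token()
        self._sessions[token] = Session(user=None, last_seen=self.clock())
        return token

    def get(self, token: Optional[str]) -> Optional[Session]:
        """Look up a session, enforcing the idle timeout on every access."""
        if token is None:
            return None
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self.clock()
        if now - session.last_seen > self.idle_timeout:
            del self._sessions[token]    # expired: a stolen token dies with it
            return None
        session.last_seen = now
        return session

    def login(self, old_token: Optional[str], user: str) -> str:
        """Authenticate the user and ALWAYS issue a fresh token.

        Never promoting the pre-login ID to an authenticated session means a
        fixated ID chosen by an attacker is useless after the victim logs in.
        """
        old = self.get(old_token)
        carried = old.data if old else {}
        self._sessions.pop(old_token, None)
        token = self._new_token()
        self._sessions[token] = Session(user=user, last_seen=self.clock(), data=carried)
        return token

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)


def set_cookie_header(token: str, max_age: int = IDLE_TIMEOUT) -> str:
    """Build the Set-Cookie value: HttpOnly blocks document.cookie access,
    Secure restricts the cookie to HTTPS, Max-Age bounds its lifetime."""
    return f"sid={token}; Path=/; Max-Age={max_age}; HttpOnly; Secure; SameSite=Lax"


def parse_cookie_header(header: str) -> Optional[str]:
    """Extract the sid value from an incoming Cookie request header."""
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "sid":
            return value
    return None


if __name__ == "__main__":
    store = SessionStore()
    anon = store.create()                      # visitor arrives, gets an anonymous session
    auth = store.login(anon, "alice")          # login rotates the ID
    print("pre-login token still valid?", store.get(anon) is not None)   # False
    print(set_cookie_header(auth))
```

The store looks up sessions only by the exact token, so the server never has to compare secrets itself; the timeout check runs on every access rather than in a background sweep, so an expired token is rejected the first time it is presented.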